[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Iceweasel and web browsers vulnerabilty concerning poodle.

I would like to point out what security.tls.version.min actually does:


Setting security.tls.version.min to 1 allows TLSv1.0 to be used, which is vulnerable to a similar padding oracle attack (and timing oracle attacks) found long ago.  You should be using a value of 2 for this setting.


On 10/16/2014 10:28 AM, Marco Galicia wrote:

As I know, a new vulnerability called poodle has been discovered regadirng https. This vulnerabilty takes advantage of the ssl 3.0, and forcecs the https protocol to use this outdated protocol.

I have been told that a fix for this vulnerabilty is to disable the use of this protocol in the web browsers.

In inceweasel:
change this option in about:config

to 1

shoulnd't iceweasel be recompiled to include this option in the complilation settings??
Can it be done officially in debian??
Can this be done also for other web browsers??

If if is not possible to do ti officially??
How can i do it?? What would be the compilation parameter, something like " /.config  --security.tls-version.min.1??

I have obtained the info from this webiste.

http://www.dmdcosillas.org/2014/10/que-demonios-no-hay-dos-sin-tres/  (in spanish)
Por favor, evite enviarme documentos adjuntos en formato Word Excel o PowerPoint.
Como alternativa puede enviarme documentos en formato odt, odx u ods, además de documentos en formato pdf
Si realmente es necesario enviarme un documento en formato Word, por favor utilize el formato .doc en lugar de .docx

Vea http://www.gnu.org/philosophy/no-word-attachments.html

Reply to: